win.lazycat

LazyCat

Actor(s): Leviathan


There is no description at this point.

References
2020-09-24 | Microsoft | Ben Koehl, Joe Hannon, Microsoft Identity Security Team: "Microsoft Security—detecting empires in the cloud". https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ (English; accessed 2020-09-24)
Related entries: CACTUSTORCH, LazyCat, Leviathan
2019-02-26 | Yoroi | ZLAB-Yoroi: "The Arsenal Behind the Australian Parliament Hack". https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/ (English; accessed 2020-01-13)
Related entries: LazyCat, powerkatz, Unidentified 057
Yara Rules
[TLP:WHITE] win_lazycat_w0 (20190403 | Yara Rule for LazyCat)
import "pe"

rule win_lazycat_w0 {

    meta:
        description = "Yara Rule for LazyCat"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_22"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat"
        malpedia_version = "20190403"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $a = "LazyCat"                                   // family name string as it appears in the sample
        $b = {48 74 74 70 53 65 72 76 65 72 4C 6F}       // ASCII "HttpServerLo"
        $c = {0A 58 73 9E 00 00 0A 2A 0F 00 28 B0}       // code/metadata byte sequence taken from the sample
        $d = {80 A1 4E CD 13 56 80 9F}                   // code/metadata byte sequence taken from the sample

    condition:
        pe.number_of_sections == 3 and pe.machine == pe.MACHINE_I386 and (($b and $c and $d) or ($a))
}